[Foo2zjs-maintainer] Bug#449497: foo2zjs dispute

Giacomo A. Catenazzi cate at debian.org
Tue Oct 28 13:41:41 UTC 2008


Note: I'm not a CTTE member.

Steffen Joeris wrote:
> Maintainer:
> --------------
> 
> The problem is as follows. The submitter sees the inclusion of the
> getweb script as a violation of the DFSG. The script is provided by
> upstream to download non-free firmware from his upstream webpage.  The
> package includes documentation in README.Debian and a GUI interface
> (hannah-foo2zjs) around the getweb script for the user's
> convenience. Some printers need this non-free firmware to run, others
> don't.  More information can be found in the bug report. Could we
> please ask you to settle this dispute?
> 
> 
> Submitter:
> --------------
> 
> The submitter sees the getweb script's dependencies on external
> data/files as potentially dangerous.  Once the package enters stable,
> upstream changes (moving/modifying files, etc.) can break
> functionality -- leading to a package that can no longer be considered
> "stable."  External dependencies also potentially leave users
> vulnerable to security risks (the upstream site could be spoofed or
> hijacked and malicious files hosted instead of the legitimate firmware
> files).  Also, the submitter views external dependencies as a possible
> violation of the spirit of the Debian policy, which currently is not
> explicitly clear on the issue.  Section 2.2.1 says "... the packages
> in main must not require a package outside of main for compilation or
> execution (thus, the package must not declare a 'Depends',
> 'Recommends', or 'Build-Depends' relationship on a non-main package)."
>  This makes the policy clear about "packages," but it does not address
> dependencies on other external non-packaged non-free files.  It is the
> submitter's belief that Debian's policy should be reworded for clarity
> on situations such as this.

It is not a DFSG violation, because the files are not distributed
by Debian, but I think it violates the policy.

I think Debian should not assume a machine on the net, so I
would interpret "main" in the stricter way.

I don't find it overkill to make a separate package for the
download script. As you will see, maintaining such a script
will be more complex, and in case of a layout change, it doesn't
require an update from most of the package users.

A change of the remote layout is an important problem: the package
could become unusable, thus potentially an RC bug, which should not
happen on other bugs in main.
The "contrib" section also includes (historically) reduced-quality
packages, so the instability of a contrib package could
be temporarily accepted.

ciao
	cate




